About:blank again? Can U look at my HJT log please?

Discussion in 'Malware Help (A Specialist Will Reply)' started by radioheadfan30, Aug 26, 2005.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does your SBC connection require any special setup (like a proxy or anything else) that you may need to set in other browsers manually? That's the only thing I can think of other than the firewall blocking them from having access. If it was just IE, I would think there is another issue. But since FireFox and Avant do not work either, I have to guess firewall or a configuration setting for your ISP.

    I don't know what Gateway was referring to. Where was it that they supposedly saw something named "1"? There is nothing loading that we can see in your HJT log. Are you saying you saw it by looking in msconfig? Where exactly? Which tab was it on?

    about:blank is showing on Avant because you are not connecting to anything and it is probably the default page for it to load. None of your logs have ever shown any signs of an about:blank hijacker.

    Please do the following. Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  2. radioheadfan30

    radioheadfan30 Private E-2

    Chaslang,
    I believe I did this right. I ran WinPFind, but I did not find the Copy to Clipboard button. I attached WinPFind as directed.
    While I was running the WinPfind scan, about 2 viruses and 2 trojan horses were found by Avast. They said to move them to chest so I did. These are some of them that keep popping up:
    http://195.95.218.100/users/serg/web/files/images/bndmod.jpg
    Win32:Vidlo-H [Trj]
    Win32:Adan-094 [Adw]
    BTW, the "1" virus Gateway was talking about was when I did Run-msconfig and then the Startup tab.
    Guess what? Today I was able to access the internet w/ IE and
    Avant! When I restarted my PC today, a message box from IE came up that asked if I wanted to let IE access the internet. I clicked yes and it worked. I believe this box came up because I un-installed and re-installed IE. However I do notice when I am on IE or Avant I get many redirections to some, uhhh..."adult" websites.
    Not good.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to post a new HJT log. You have some nasty stuff showing in the WinPfind log that we need to fix but I want to see a current HJT log at the same time. There also seems to be some additional remnants of the HSA hijacker hanging around.
     
  4. radioheadfan30

    radioheadfan30 Private E-2

    Here's the new HJT log. BTW, since you last told me to uninstall Norton, I did. I immediately installed Sygate as my firewall and Avast! as my anti-virus.
    Seems like every 5 minutes when I'm on the web Avast is sending me warnings that it's found adware, viruses or Trojans. (I always follow their instructions.) Thanks again for your continual help.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must not have any browsers running when you run HijackThis. You had the below running:
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe


    Are the IP addresses in the below line valid for you? I show some info about them further down.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5C5AAA95-C6A4-4BD5-8CA8-A8E0809114F7}: NameServer = 69.50.161.132,85.255.112.15

    Code:
    69.50.161.132 = [ 69.50.161.132-custblock.intercage.com ]
      network: Class-Name: network
      network: Auth-Area: 69.50.160.0/19
      network: ID: 1160946048/29
      network: Handle: CUSTBLK-69-50-161-128-29
      network: IP-Network: 69.50.161.128/29
      network: IP-Network-Block: 69.50.161.128 - 69.50.161.135
      network: Org-Name: Yuval Mikhlin
      network: Street-Address: 41 Halstead Street
      network: City: Caulfield
      network: State: North Victoria

    OrgName:    RIPE Network Coordination Centre
    OrgID:      RIPE
    Address:    P.O. Box 10096
    City:       Amsterdam
    StateProv:
    PostalCode: 1001EB
    Country:    NL

    ReferralServer: whois://whois.ripe.net:43

    NetRange:   85.0.0.0 - 85.255.255.255
    CIDR:       85.0.0.0/8
    NetName:    85-RIPE
    NetHandle:  NET-85-0-0-0-1
     
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\winnt\System32\popcorn72.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\winnt\System32\msblank.html
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [ControlPanel] C:\winnt\System32\popcorn72.exe rundll.dll,LoadMouseProfile
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\appqv.exe.bad
    C:\msqz.exe.bad
    C:\winnt\mstn32.exe
    C:\winnt\sdkqd32.exe
    C:\winnt\sdkqn32.dll
    C:\winnt\System32\yaemu.exe
    C:\winnt\SYSTEM32\ccfgmnt.exe
    C:\winnt\SYSTEM32\certcclie.exe
    C:\winnt\SYSTEM32\dgprpsetup.exe
    C:\winnt\SYSTEM32\popcorn72.exe
    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. Also get another WinPfind log and post it.
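    Editor's note: the O17 NameServer question in post 5 and the R0/O4 fix list in post 6 are the three HJT line classes that carry the most weight in a log like this one (rogue resolvers, a local-file start page, and Run entries launched straight out of system32). The script below is an added example for this page, not MajorGeeks' or HijackThis' own code. It parses a constructed sample log built from the lines quoted in this thread (plus one made-up benign O4 entry and a made-up second interface GUID) and reports the three indicator classes. The resolver allowlist covers RFC 1918 only because the thread never states the ISP's resolver addresses; a real run adds those prefixes. The known-good list for system32 Run entries is likewise an assumption to extend.

```python
"""HijackThis log triage for the indicator classes discussed in this thread.

Added example for this page; it is not MajorGeeks' or HijackThis' own code.
It parses three HJT line types from a constructed sample log (built from the
lines quoted in the thread plus one made-up benign O4 entry) and flags:
  * O17 NameServer values outside an allowlist (here RFC 1918 only; a real
    run adds the ISP's resolver prefixes, which this page does not state),
  * R0 Start Page values that point at a local file rather than a URL,
  * O4 Run entries whose executable sits directly in the system directory
    and is not on a small known-good list (an assumption; extend as needed).
"""
import ipaddress
import re

# Constructed sample: thread lines plus one benign O4 and one private-DNS O17.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\winnt\System32\msblank.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ControlPanel] C:\winnt\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [yaemu.exe] C:\winnt\System32\yaemu.exe
O4 - HKLM\..\Run: [ashDisp] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C5AAA95-C6A4-4BD5-8CA8-A8E0809114F7}: NameServer = 69.50.161.132,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Resolver allowlist: private ranges only (assumption); add the ISP's resolvers.
ALLOWED_DNS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Legitimate Run entries that live directly in system32 (assumption; extend).
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}
SYSTEM_DIRS = ("\\winnt\\system32", "\\windows\\system32")

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<value>.+)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def unexpected_nameservers(line, allowed=ALLOWED_DNS):
    """Return the O17 nameservers on this line that fall outside the allowlist."""
    m = O17_RE.match(line)
    if not m:
        return []
    flagged = []
    for raw in m.group("servers").split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            flagged.append(raw)          # not even a valid IP: worth a look
            continue
        if not any(ip in net for net in allowed):
            flagged.append(raw)
    return flagged


def local_start_page(line):
    """Return the R0 start page if it is a local file path, else None."""
    m = R0_RE.match(line)
    if not m:
        return None
    value = m.group("value").strip()
    if re.match(r"^[A-Za-z]:\\", value) or value.lower().startswith("file:"):
        return value
    return None


def suspicious_run_entry(line):
    """Return (name, exe) for an O4 Run entry launched straight out of system32."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").lstrip('"')
    exe_m = re.match(r"(?i)(.+?\.exe)", cmd)   # path up to the first .exe
    if not exe_m:
        return None
    exe = exe_m.group(1)
    directory, _, base = exe.lower().rpartition("\\")
    if directory.endswith(SYSTEM_DIRS) and base not in KNOWN_SYSTEM32_RUN:
        return (m.group("name"), exe)
    return None


def triage(log_text):
    """Run every check over an HJT log and collect findings by class."""
    findings = {"nameservers": [], "start_page": [], "run": []}
    for line in log_text.splitlines():
        line = line.strip()
        findings["nameservers"].extend(unexpected_nameservers(line))
        page = local_start_page(line)
        if page:
            findings["start_page"].append(page)
        run = suspicious_run_entry(line)
        if run:
            findings["run"].append(run)
    return findings


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

    On the sample log the script flags both resolvers from the thread's O17 line, leaves the private 192.168.1.1 entry alone, flags the msblank.html start page, and flags the popcorn72.exe and yaemu.exe Run entries while passing the Avast entry, which lives outside system32. Treat the hits as leads for the whois and file checks the thread walks through, not as verdicts.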
     
  7. radioheadfan30

    radioheadfan30 Private E-2

    Hmmm, I don't know what that line O17 is about in my previous HJT log. I don't recognize the names or addresses. Should we get rid of it? I have posted a new HJT and WinPFind log for you.
    Also, I was NOT running:
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe during any HJT logs

    I did the following:
    Killed this process as directed in HJT:
    C:\winnt\System32\popcorn72.exe

    Also fixed below w/out any browsers open:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\winnt\System32\msblank.html
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [ControlPanel] C:\winnt\System32\popcorn72.exe rundll.dll,LoadMouseProfile
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm

    Deleted below files in Windows Explorer:
    C:\appqv.exe.bad
    C:\msqz.exe.bad
    C:\winnt\mstn32.exe
    C:\winnt\sdkqd32.exe
    C:\winnt\sdkqn32.dll
    C:\winnt\System32\yaemu.exe
    C:\winnt\SYSTEM32\ccfgmnt.exe
    C:\winnt\SYSTEM32\certcclie.exe
    C:\winnt\SYSTEM32\dgprpsetup.exe
    C:\winnt\SYSTEM32\popcorn72.exe

    Ran CCleaner and deleted all files in Prefetch and reset web settings as instructed.

    So far, so good w/ no alert signs from Avast! of adware, trojans or viruses like I was previously getting every 5 minutes.
     


  8. radioheadfan30

    radioheadfan30 Private E-2

    Whoops, Sorry forgot my new HJT log.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now have HJT fix the below line (do not click fix until all browsers are closed):

    O4 - HKLM\..\Run: [yaemu.exe] C:\winnt\System32\yaemu.exe


    Then boot into safe mode and double check that the C:\winnt\System32\yaemu.exe is really deleted.

    Now reboot into normal mode and post a new HJT.
     
  10. radioheadfan30

    radioheadfan30 Private E-2

    Deleted the O4 line that you told me to in HJT.
    Double checked in Safe Mode in Windows Explorer and yep, it's gone there too.
    However Internet Explorer and Avant are extremely slow when opening any web pages. BTW, how can I donate to you guys for all your help?
    Standing by.
     


    Last edited: Sep 14, 2005
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can buy any of MG's tee shirts or sweatshirts: see http://www.jinx.com/scripts/products.asp?affid=30

    Other than that, send all your friends this way for help and also for file downloads.

    I do not see any malware in your HJT log now, but I wonder why I see:

    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

    running on your system. Do you have any Symantec software still installed? If not, perhaps you should look to uninstall this if shown in Add/Remove programs.

    I also don't understand why:

    C:\Program Files\Alwil Software\Avast4\setup\avast.setup

    would still be running.

    Have you updated Ewido lately and run a full scan with it?
     
